SAP Cyber Threat Intelligence Report – March 2017

The SAP threat landscape keeps growing, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report aims to provide insight into the latest security threats and vulnerabilities.

Key takeaways

This month, the software vendor released a record-breaking number of Security Notes for 2017. The recent patch update consists of 35 SAP Security Notes;

An RCE vulnerability in the SAP GUI client was closed. Millions of end users could fall victim;

HANA vulnerabilities are on the rise. This month, 5 Notes addressing this platform were released, one of which was rated 9.8.

SAP Security Notes – March 2017

SAP has released the monthly critical patch update for March 2017. This patch update includes 35 SAP Notes (28 SAP Security Patch Day Notes and 7 Support Package Notes).

4 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 7 of the Notes are updates to previously released Security Notes.

8 of the released SAP Security Notes have a High priority rating and 1 was assessed as Hot News. The highest CVSS score among the vulnerabilities is 9.8.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

A Remote command execution vulnerability in SAP GUI for Windows (CVSS Base Score: 8.0). An update is available in SAP Security Note 2407616. An attacker can exploit a Remote command execution vulnerability to execute commands remotely without authorization. The commands run with the same privileges as the service that executed them.
SAP GUI is the graphical user interface client. It is the platform used for remote access to the SAP central server in a company network. It allows an SAP user to access functionality in SAP applications such as SAP ERP, SAP Business Suite (SAP CRM, SAP SCM, SAP PLM, and others), and SAP Business Intelligence.

A Denial of service vulnerability in SAP NetWeaver Dynpro Engine (CVSS Base Score: 7.5). An update is available in SAP Security Note 2405918. An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

A Denial of service vulnerability in SAP Visual Composer (CVSS Base Score: 7.5). An update is available in SAP Security Note 2399804. An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

A Cross-Site Scripting vulnerability in SAP Enterprise Portal (CVSS Base Score: 6.1). An update is available in SAP Security Note 2408100. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.

A Denial of service vulnerability in SAP Java Script Engine (CVSS Base Score: 2.7). An update is available in SAP Security Note 2406841. An attacker can use a Denial of service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

SAP HANA Vulnerabilities closed by SAP Security Notes March 2017

SAP HANA was first introduced in 2010 and is marketed as a platform converging application and database capabilities with in-memory technology that speeds up performance, analytics, and other processes.

SAP HANA security is always in the spotlight; however, this year SAP HANA security issues have been attracting special attention from researchers. The current security update contains 5 SAP Security Notes addressing the flagship platform. The most dangerous of them are the following:

2424173: SAP HANA User Self-Service has a Missing Authorization Check vulnerability (CVSS Base Score: 9.8). An attacker can use a Missing authorization check vulnerability to access the service without authorization and use functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.

2429069: SAP HANA has a Session fixation vulnerability (CVSS Base Score: 8.8). An authenticated attacker can predict valid session IDs for concurrent users that are logged on to the system. Install this SAP Security Note to prevent the risks.

2424120: SAP HANA has an Information Disclosure vulnerability (CVSS Base Score: 4.9). An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps them learn about the system and plan further attacks. Install this SAP Security Note to prevent the risks.

“The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass-exploitation is low, as SAP HANA User Self-Service is enabled on only 13% of internet-exposed SAP systems (according to a custom scan). There are numerous other services in SAP HANA which are not enabled by default and are susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass, but in another web service dubbed Sinopia.”

– commented Alexander Polyakov, CTO at ERPScan.

The aforementioned multiple vulnerabilities affecting Sinopia can be exploited together to crash applications on SAP HANA XS remotely without authentication.

The number of security patches addressing SAP HANA now totals 51 (note that a single SAP Note can close one or more security issues).

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.